Description

Mozilla security researcher moz_bug_r_a4 reported that
through an interaction of frames and browser history it was possible to make the
browser believe attacker-supplied content came from the location of a previous
page in browser history. This allows for cross-site scripting (XSS) attacks by
loading scripts from a misrepresented malicious site through relative locations
and the potential access of stored credentials of a spoofed site.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products.